GitHub Action

sbom.sh-create

v1


SBOM.sh - Generate and upload SBOM to sbom.sh using Trivy, Syft, or Grype

Installation

Copy and paste the following snippet into your .yml file.

- name: sbom.sh-create
  uses: codenotary/sbom.sh-create@v1

Learn more about this action in codenotary/sbom.sh-create

sbom.sh-create

SBOM.sh container analysis and scan using Grype provided as a GitHub Action

SBOM.sh GitHub Action

This GitHub Action integrates with sbom.sh to generate and upload Software Bill of Materials (SBOM) for your projects. Utilizing the codenotary/sbom.sh container image, this action supports various open-source SBOM tools such as Trivy, Grype, and Syft.

Features

  • Generate SBOMs for filesystems and container images.
  • Support for multiple scanning tools (Trivy, Grype, Syft).
  • Upload SBOMs directly to sbom.sh and obtain a shareable URL.
  • Optional vulnerability scanning and SBOM score calculation at sbom.sh.

Workflow Dispatch Options

This action can be triggered manually using the workflow_dispatch event. You can provide the following inputs:

  • scan_type: The type of scan to perform: trivyfs, trivyimage, grypefs, grypeimage, syftfs, or syftimage.
  • target: The target for the scan. For image scans this is the image name and location; the filesystem scans (trivyfs, grypefs, syftfs) use the checked-out repository, i.e. "." (the current directory).

When you navigate to the Actions tab of your GitHub repository, you will see an option to "Run workflow". You can select the branch you want to run the workflow on and provide the required inputs.

Usage

To use this action, add a workflow such as the following to your .github/workflows directory, for example in a file named sbom-analysis.yml:

name: "Generate and Upload SBOM"
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  workflow_dispatch:

jobs:
  sbom-scan:
    runs-on: ubuntu-latest
    name: Generate and Upload SBOM
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v2

      - name: Generate SBOM
        id: sbom_generation   # the id is required so the output can be read in the next step
        uses: codenotary/sbom.sh-create@main
        with:
          scan_type: 'grypefs'
          target: '.' # For grypefs, syftfs and trivyfs the target is "." (current directory); for container images it is the image name and location

      - name: Output SBOM URL
        run: echo "The SBOM can be found at ${{ steps.sbom_generation.outputs.sbom_url }}"

Inputs

  • scan_type: Type of scan (trivyfs, trivyimage, grypefs, grypeimage, syftfs, syftimage).
  • target: Scan target. For image scans, the image name and location; for filesystem scans, "." (the current directory).
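The following workflow is an added example, not part of the project's own README or code. It ties the "Workflow Dispatch Options" and "Inputs" sections together: on manual runs the scan_type and target are taken from workflow_dispatch inputs (so a maintainer can switch between a filesystem scan and an image scan without editing the file), on push events it falls back to a filesystem scan of the checked-out repository, and a guard step fails fast when an image scan is requested with the filesystem default as target. It assumes the inputs and the sbom_url output documented on this page, uses the v1 tag shown in the installation snippet, and the image reference in the comment is a placeholder you must replace.

```yaml
name: "SBOM to sbom.sh (manual or on push)"

on:
  push:
    branches:
      - main
  workflow_dispatch:
    inputs:
      scan_type:
        description: "Scanner and scan kind (filesystem or container image)"
        required: true
        default: "grypefs"
        type: choice
        options:
          - trivyfs
          - trivyimage
          - grypefs
          - grypeimage
          - syftfs
          - syftimage
      target:
        description: "'.' for filesystem scans, or an image reference such as registry/org/image:tag for image scans"
        required: true
        default: "."
        type: string

# Least privilege: the job only reads the repository contents.
permissions:
  contents: read

jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      # Manual runs would otherwise be able to pair an image scanner with the
      # filesystem default target; stop early with a clear message instead.
      - name: Reject an image scan that has no image reference
        if: ${{ github.event_name == 'workflow_dispatch' && endsWith(inputs.scan_type, 'image') && inputs.target == '.' }}
        run: |
          echo "scan_type '${{ inputs.scan_type }}' needs an image reference as target, not '.'" >&2
          exit 1

      - name: Generate and upload SBOM
        id: sbom
        # Pinned to the v1 tag from the installation snippet; pin to a commit SHA
        # if your policy requires immutable action references.
        uses: codenotary/sbom.sh-create@v1
        with:
          # Manual run: use the dispatch inputs. Push: scan the checked-out tree.
          scan_type: ${{ github.event_name == 'workflow_dispatch' && inputs.scan_type || 'grypefs' }}
          target: ${{ github.event_name == 'workflow_dispatch' && inputs.target || '.' }}

      - name: Record the SBOM URL
        # sbom_url is the output name used in the README's usage snippet.
        run: |
          echo "SBOM uploaded to ${{ steps.sbom.outputs.sbom_url }}"
          echo "SBOM: ${{ steps.sbom.outputs.sbom_url }}" >> "$GITHUB_STEP_SUMMARY"
```

The `&& ... ||` form is the usual GitHub Actions idiom for a conditional expression; it works here because neither branch value is empty. Writing the URL to the step summary makes it visible on the run page without opening the log, which is where reviewers usually look for it.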

About sbom.sh

sbom.sh is a service that allows you to generate a valid Software Bill-of-Materials (SBOM) in CycloneDX or SPDX format. It provides a centralized platform to store SBOMs and facilitates better tracking and analysis of your software components.

For detailed documentation on the sbom.sh service and GitHub Action, visit https://sbom.sh or https://hub.docker.com/repository/docker/codenotary/sbom.sh/general.

License

This GitHub Action and the corresponding scripts are released under the Apache 2.0 License. See LICENSE for details.

Contributing

Contributions are welcome!